9.8 CVE-2021-28799
Tags: CISA KEV Catalog, Privilege Escalation, Buffer Overflow, Path Traversal, Used by Malware, Used by Ransomware
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
https://nvd.nist.gov/vuln/detail/CVE-2021-28799
Categories
CWE-NVD-Other
CWE-285 : Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

"AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC"), which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization.

Detection: Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Mitigations:
- Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Observed examples:
- Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information.
- Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
- Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
- Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
- Terminal server does not check authorization for guest access.
- Database server does not use appropriate privileges for certain sensitive operations.
- Gateway uses default "Allow" configuration for its authorization settings.
- Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
- Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
- System monitoring software allows users to bypass authorization by creating custom forms.
- Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
- Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
- Content management system does not check access permissions for private files, allowing others to view those files.
- ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
- Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
- Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
- Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
- OS kernel does not check for a certain privilege before setting ACLs for files.
- Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
- Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
References
security@qnapsecurity.com.tw
https://www.qnap.com/en/security-advisory/QSA-21-13 (Vendor Advisory)
CPE
cpe | start | end |
---|---|---|
Configuration 1 | ||
AND | ||
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | < 16.0.0415 | |
Running on/with | ||
cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:* | ||
Configuration 2 | ||
AND | ||
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | < 3.0.210412 | |
Running on/with | ||
cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:* | ||
Configuration 3 | ||
AND | ||
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | < 3.0.210411 | |
Running on/with | ||
cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:* | ||
Configuration 4 | ||
AND | ||
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | < 16.0.0419 | |
Running on/with | ||
cpe:2.3:o:qnap:quts_hero:h4.5.1:*:*:*:*:*:*:* | ||
Configuration 5 | ||
AND | ||
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | < 16.0.0419 | |
Running on/with | ||
cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:* | >= c4.5.1 | <= c4.5.4 |
REMEDIATION
EXPLOITS
Exploit-db.com
id | description | date | |
---|---|---|---|
No known exploits |
POC Github
Url |
---|
No known exploits |
Other Nist (github, ...)
Url |
---|
No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
id | description | severity |
---|---|---|
1 | Accessing Functionality Not Properly Constrained by ACLs | High |
104 | Cross Zone Scripting | High |
127 | Directory Indexing | Medium |
13 | Subverting Environment Variable Values | Very High |
17 | Using Malicious Files | Very High |
39 | Manipulating Opaque Client-based Data Tokens | Medium |
402 | Bypassing ATA Password Security | |
45 | Buffer Overflow via Symbolic Links | High |
5 | Blue Boxing | Very High |
51 | Poison Web Service Registry | Very High |
59 | Session Credential Falsification through Prediction | High |
60 | Reusing Session IDs (aka Session Replay) | High |
647 | Collect Data from Registries | Medium |
668 | Key Negotiation of Bluetooth Attack (KNOB) | High |
76 | Manipulating Web Input to File System Calls | Very High |
77 | Manipulating User-Controlled Variables | Very High |
87 | Forceful Browsing | High |
MITRE
Techniques
id | description |
---|---|
T1005 | Data from Local System |
T1012 | Query Registry |
T1083 | File and Directory Discovery |
T1134.001 | Access Token Manipulation: Token Impersonation/Theft |
T1550.004 | Use Alternate Authentication Material: Web Session Cookie |
T1552.002 | Unsecured Credentials: Credentials in Registry |
T1562.003 | Impair Defenses: Impair Command History Logging |
T1565.002 | Data Manipulation: Transmitted Data Manipulation |
T1574.005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking |
T1574.007 | Hijack Execution Flow: Path Interception by PATH Environment Variable |
T1574.010 | Hijack Execution Flow: Services File Permissions Weakness |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
id | description |
---|---|
T1005 | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
T1134.001 | An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
T1550.004 | Configure browsers or tasks to regularly delete persistent cookies. |
T1552.002 | If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
T1562.003 | Make sure that the `HISTCONTROL` environment variable is set to "ignoredups" instead of "ignoreboth" or "ignorespace". |
T1565.002 | Encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
T1574.005 | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
T1574.006 | When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary. |
T1574.007 | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:\` and system directories, such as `C:\Windows`, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories. |
T1574.010 | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |